; This file controls how permissions are assigned to roles within VuFind. ; ; Each section of the file contains a group of rules that grant permissions. The name ; of the section is unimportant as long as each section has a unique name. This ; section contains several keys: ; ; require - Set to 'ALL' to require all conditions in the section to be met in ; order to grant the permission(s). Set to 'ANY' to allow any one or ; more of the conditions to grant the permission(s). Defaults to 'ALL' ; if unset. Note that this rule is used for combining the output of ; permission provider services. When a single permission provider ; accepts multiple lines of configuration, the way those lines are ; combined may vary from provider to provider (see below). ; permission - The name(s) of the permission(s) to grant. May be a single string or ; an array of strings. ; ; Any other keys in the section should be the names of permission provider services. ; The values associated with these keys will be passed along to the services. ; You can define your own permission providers, or use some of the following: ; ; ipRange - Grant the permission to the single IP address or to the range. ; Accepts a single IP address or a range with a minus character without ; blanks as separator. Also partial addresses can be used (e.g. 192.168 ; denotes 192.168.0.0-192.168.255.255) and IPv6 addresses are also ; supported (unless PHP is compiled with IPv6 disabled). ; ipRegEx - Grant the permission to IP addresses matching the provided regular ; expression(s). Accepts a string or an array; if an array is passed, ; permission will be granted if ANY one of the expressions matches. ; role - Grant the permission automatically to the role or roles specified ; (accepts a string or an array). Note that VuFind uses 'guest' for ; logged-out users and 'loggedin' for all logged-in users. You may ; define additional roles with custom code. ; serverParam - Grant the permission if request server params match the given rules. ; Accepts a string or an array; if an array is passed permission will ; be granted if ALL of the rules match. Rules are specified as ; [modifier] [ ... ] ; with optional modifier ~ (match instead of string comparison, values ; are treated as regular expressions), ! (not) or !~ (no match). Only ; one of the values must match (OR). ; shibboleth - Same as serverParam with support for Shibboleth multi-valued ; attributes (values separated by semicolons). The IdP entityId can be ; referenced with idpentityid. Please note that only checking the IdP ; entityId is dangerous (no authorization, anybody with a valid login ; gets the permission) so this should always be combined with a second ; rule that checks an attribute. ; username - Grant the permission to logged-in users whose usernames match the ; specified value(s). Accepts a string or an array. ; user - Grant the permissions to logged in users whose user attribute match ; the given regular expression pattern. For valid pattern syntax see ; http://php.net/manual/de/reference.pcre.pattern.syntax.php. ; ; Example configuration (grants the "sample.permission" permission to users named ; admin1 or admin2, or anyone coming from the IP addresses 1.2.3.4 or 1.2.3.5): ; ; [sample.rules] ; require = ANY ; username[] = admin1 ; username[] = admin2 ; ipRegEx = "/1\.2\.3\.4|1\.2\.3\.5/" ; ipRange[] = "1.2.3.4" ; ipRange[] = "1.2.3.7-1.2.5.254" ; permission = sample.permission ; Example configuration (grants the "sample.permission" permission to users ; who are from myCollege or who is a studentmajor (.*studentmajor.*): ; user[] = "college myCollege" ; user[] = "major .*studentmajor.*" ; List of permissions that you may wish to configure: ; ; access.AdminModule - Controls access to the admin panel (if enabled in config.ini) ; access.DebugMode - Allows ?debug=true GET parameter to turn on debug mode ; access.EDSExtendedResults - Controls visibility of protected EDS results ; access.EITModule - Controls access to the EBSCO EIT module (if active) ; access.PrimoModule - Controls access to ALL Primo content ; access.StaffViewTab - Controls access to the staff view tab in record mode ; access.SummonExtendedResults - Controls visibility of protected Summon results ; feature.Favorites - Controls access to the "save favorites" feature ; See https://vufind.org/wiki/configuration:permission_options for further information. ; Default configuration for the EIT module; see EIT.ini for some notes on this. [default.EITModule] role = loggedin permission = access.EITModule ; Default configuration for the Primo module (allow everyone by default). ; Do not disable or comment out this configuration if you want to use the Primo module! [default.PrimoModule] role[] = guest role[] = loggedin permission = access.PrimoModule ; Show staff view for all users by default [default.StaffViewTab] role[] = guest role[] = loggedin permission = access.StaffViewTab ; By default, favorites are available to all logged-in users. [default.Favorites] role[] = loggedin permission = feature.Favorites ; Example for dynamic debug mode ;[default.DebugMode] ;username[] = admin ;permission = access.DebugMode ; Example for EDS ;[default.EDSModule] ;ipRange[] = "127.0.0.1" ;ipRange[] = "192.168.11" ;permission = access.EDSExtendedResults ; Examples for Shibboleth ; ; Only users that have either common-lib-terms and entityid from idp1 or ; member and entityid from idp2 may have access to EITModule ;[shibboleth.EITModule1] ;shibboleth[] = "entityid https://testidp1.example.org/idp/shibboleth" ;shibboleth[] = "affiliation member@example.org" ;permission = access.EITModule ; ;[shibboleth.EITModule2] ;shibboleth[] = "entityid https://testidp2.example.org/idp/shibboleth" ;shibboleth[] = "entitlement urn:mace:dir:entitlement:common-lib-terms" ;permission = access.EITModule ; ; Only users with a staff affiliation can access the staff view tab ;[shibboleth.StaffView] ;shibboleth = "affiliation staff@example.org" ;permission = access.StaffViewTab ; Example for conditional filters (see [ConditionalHiddenFilters] in ; searches.ini for details) ;[conditionalFilter.MyUniversity] ;require = ANY ;ipRange[] = 1.2.3.1-1.2.3.254 ;role = loggedin ;permission = conditionalFilter.MyUniversity ; Examples for PrimoCentral (see [Institutions] section ; in Primo.ini for details) ;[default.primoOnCampusRule] ;require = ANY ;ipRange[] = 1.2.3.1-1.2.3.254 ; for the IP-range of your university's network ;role = loggedin ; if you want to allow authenticated users to use Primo module ;permission = primoOnCampus.MYINSTITUTION ; Example Shibboleth logout API access permission. ; See https://vufind.org/wiki/configuration:shibboleth for more information. ;[api.ShibbolethLogoutNotification] ;permission = access.api.ShibbolethLogoutNotification ;require = ANY ;ipRange[] = '127.0.0.1' ;ipRange[] = '::1' ; Example EZproxy authorization permission. ; See https://vufind.org/wiki/configuration:ezproxy for more information. [ezproxy.authorized] permission = ezproxy.authorized role = loggedin ; Search and Record API permissions. ;[api.SearchAndRecord] ;permission[] = access.api.Search ;permission[] = access.api.Record ;require = ANY ;ipRange[] = '127.0.0.1' ;ipRange[] = '::1' ; Cache methods admin API permissions. ;[api.Admin.Cache] ;permission[] = access.api.admin.cache ;require = ANY ;ipRange[] = '127.0.0.1' ;ipRange[] = '::1' ; Example permission for Alma webbooks ;[alma.Webhooks] ;permission[] = "access.alma.webhook.user" ;permission[] = "access.alma.webhook.challenge" ;require = ALL ;ipRange[] = "127.0.0.1"